Late last year, Kaspersky warned of how popular Ztorg-infected applications had become in Google Play, where one of them gathered over 50,000 downloads within a single day. Millions of users downloaded the various applications that were infected with the Trojan before being published in the official application store.

Now, the security firm says that newly observed infected apps no longer use exploits to gain root rights on the infected devices, although they continue to show malicious behavior. The programs, Kaspersky reveals, pack a Trojan-SMS that can send premium rate SMS messages and delete incoming SMS messages.

Dubbed Magic browser, one of the applications was uploaded to Google Play on May 15, 2017 and was installed more than 50,000 times before being removed from the store. Called Noise Detector, a second application was downloaded more than 10,000 times.

Both apps include a Ztorg Trojan variant designed to hinder analysis by waiting for 10 minutes before first attempting to contact the command and control (C&C) server. The malware makes two GET requests to the C&C and includes part of the International Mobile Subscriber Identity (IMSI) in both of them.

The first request contains IMSI’s first three digits, which are also the MCC (mobile country code), while the second request includes the first five digits, where the fourth and fifth are the MNC (mobile network code). This allows cybercriminals to identify the country and mobile operator of the infected user and determine which premium rate SMS should be sent.
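The two-step IMSI-prefix pattern described above can be used as a triage signal in proxy logs. The following Python sketch is an added example, not code from Kaspersky's analysis; it assumes the prefixes travel as query-string values, and the log format, hosts, paths and parameter names are all constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log lines: "<epoch> <client> <method> <url>".
# Hosts, paths and parameter names are invented for this example.
SAMPLE_LOG = """\
1497000000 10.0.0.5 GET http://cc.example.test/a?p=250&v=2
1497000003 10.0.0.5 GET http://cc.example.test/b?p=25001&v=2
1497000010 10.0.0.7 GET http://shop.example.test/item?id=412
1497000020 10.0.0.9 GET http://news.example.test/p?id=310
1497000025 10.0.0.9 GET http://news.example.test/p?id=26201
1497000900 10.0.0.7 GET http://shop.example.test/item?id=41288
""".splitlines()


def digit_values(url, length):
    """Return query-string values that are exactly `length` ASCII digits."""
    query = urlsplit(url).query
    return {v for _, v in parse_qsl(query)
            if len(v) == length and v.isascii() and v.isdigit()}


def find_imsi_prefix_pairs(lines, window=60):
    """Flag (client, host, mcc, mcc+mnc) when a 3-digit value is followed,
    within `window` seconds and to the same host, by a 5-digit value that
    starts with the same three digits."""
    seen = {}   # (client, host) -> {3-digit value: time last seen}
    hits = []
    for line in lines:
        ts, client, method, url = line.split(maxsplit=3)
        if method != "GET":
            continue
        ts, key = int(ts), (client, urlsplit(url).hostname)
        for prefix5 in digit_values(url, 5):
            last = seen.get(key, {}).get(prefix5[:3])
            if last is not None and 0 <= ts - last <= window:
                hits.append((client, key[1], prefix5[:3], prefix5))
        for mcc in digit_values(url, 3):
            seen.setdefault(key, {})[mcc] = ts
    return hits


if __name__ == "__main__":
    for hit in find_imsi_prefix_pairs(SAMPLE_LOG):
        print(hit)
```

Short numeric IDs in ordinary traffic can match by coincidence, so a hit is a lead for further inspection of the client and destination, not a verdict.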

The server responds with an encrypted JSON file with some data that should include a list of offers, with each offer carrying a string field called ‘url’, which may contain an actual URL. The Trojan tries to open the field using its own class and, if the value is a URL, the content is displayed to the user. If the field contains other data and an “SMS” substring, a message containing the text supplied is sent to the number provided.

Just after receiving URLs to visit or SMS messages to send, the Trojan turns off the device sound and starts deleting all incoming SMS, Kaspersky’s Roman Unuchek explains.

Malicious apps featuring the same functionality but distributed outside Google Play were also discovered. These resemble an additional module for some Trojan rather than standalone malware, and were installed by a regular Ztorg Trojan along with other Ztorg modules, the researcher discovered.

Analysis of the JS files received by these Trojans revealed that they contained a function called “getAocPage,” most likely referring to AoC (Advice of Charge). These files, Unuchek says, were designed to perform clickjacking attacks on web pages with WAP billing, which allowed the Trojan to steal money from the user’s mobile account.

“WAP billing works in a similar way to Premium rate SMS, but usually in the form of subscriptions and not one-time payments as most Premium rate SMS. It means that URLs which the Trojan receives from the C&C may not only be advertising URLs, but also URLs with WAP billing subscriptions,” the researcher explains.

All of the observed Trojans, including the Google Play ones, attempt to send SMS messages from the infected devices. Magic browser, for example, tries to send SMS from 11 different places in its code. This means that it can send messages on different Android versions and devices.

“The Magic browser app was promoted in a similar way to other Ztorg Trojans. Both the Magic browser and Noise detector apps shared code similarities with other Ztorg Trojans. Furthermore, the latest version of the Noise detector app contains the encrypted file girl.png in the assets folder of the installation package. After decryption, this file becomes a Ztorg Trojan,” the researcher notes.

The researcher also discovered other Trojans packing the same functionality, which were installed by a regular Ztorg Trojan. A malicious app called Money Converter observed in April 2017 was using Accessibility Services to install apps from Google Play without user interaction, even without root access. The app had over 10,000 installs in Google Play.
